NCSC Cyber Incident Response Scheme

The National Cyber Security Strategy sets a strategic objective of enhancing national prosperity and national security by making the UK more resilient to cyber attacks. Such attacks can vary in terms of persistence, sophistication and impact.

There is a range of guidance to help organisations maintain cyber defences, such as NCSC’s Good Practice Guides and ‘10 Steps to Cyber Security’, and information published on the CPNI website. There continue to be occasions where attackers successfully breach the corporate networks of organisations based or located in the UK. This may be due to basic defences not being maintained adequately. However, it may also be due to the targeting and sophisticated techniques employed by determined, well-resourced cyber attackers.

Where an organisation has been attacked, its most immediate concerns are likely to be:

what action needs to be taken?

who has the proven knowledge and experience required to contain and eradicate the incident?

A twin-track approach is being taken for certified Cyber Incident Response services:

a broadly based scheme managed by an industry professional body, endorsed by NCSC and CPNI, and delivered by industry. This scheme focuses on appropriate standards for incident response aligned to demand from industry, the wider public sector and academia. Initially this scheme will be administered by CREST; additional professional body-led schemes may be added should they emerge in future.

a small and focussed Government-run Cyber Incident Response scheme certified by NCSC and CPNI, where capable industry partners deliver services focussed on responding to sophisticated, targeted attacks against networks of national significance. Organisations affected by such an attack should approach one of the NCSC/CPNI certified CIR providers.

Organisations wishing to join the CREST CSIR Scheme will need to sign a Non-Disclosure Agreement (NDA) with CREST. On receipt of the signed NDA, CREST will issue an application form. The organisation will be required to complete all parts of the application and submit it to CREST. The application will be reviewed in detail and, where necessary, areas of concern will be highlighted in a formal letter to the applicant company. Once the paper application has been completed to a satisfactory standard, a site visit will be required to validate the claims made on the application and to remind the organisation of its obligations under the code of conduct. Once this has been completed and the membership payment received, the company will be entered onto the CREST register under the Cyber-Security category.

For existing CREST penetration testing member companies, many of the questions regarding the quality of the service and the policies, processes and procedures for the protection of client-based information will already have been completed and assessed. Existing CREST Penetration Testing Member companies will also have already signed up to the CREST Code of Conduct and signed an NDA. An existing member company should therefore request an application form and will be required to complete only the sections relating to the Cyber-Security Incident Response service. Once completed, this section will be reviewed and assessed in line with the process for new members as outlined above. There have been some updates to the existing CREST application form. All existing CREST organisations will be required to complete the new application form as part of their three-year renewal cycle. The new questions reflect ‘recognised best practice’ and therefore organisations should consider completing all parts of the new form.

CREST fully recognises the sensitivity of the material provided as part of the company assessment process. All applications submitted to CREST are seen only by CREST-employed staff. No information regarding the submission of an application, or any correspondence relating to the application process, is passed to the member company representatives on the CREST Executive or to any other parties. The member company representatives on the CREST Executive have no part in the decision to award or not award CREST membership.

For existing CREST member companies there will be no additional membership charge, although an administration fee of £500 plus VAT will be levied against existing CREST members seeking assessment under the additional CSIR category. For companies that are not current CREST members but would like to be CSIR members, the annual fees after passing the company assessment are outlined on the following page – Applying for Company Membership. Membership will provide the company with all the CREST member benefits.

After the initial assessment there will be an annual renewal. This is designed to be relatively easy to complete and looks to validate certain essential elements of the membership process, confirm agreements between the company and CREST, and provide an update where existing policies, processes and procedures have been amended or improved. There is no charge for this annual review. CREST reserves the right to subject the company to a full re-assessment, requiring a full resubmission of all documents, every three years. There will be an assessment fee of £750 plus VAT for this.

CREST announced the first wave of memberships for the CSIR scheme in November 2013 and applications are now received regularly. CREST accepts applications for company membership and membership applications to be included in the CSIR scheme throughout the year.

Please review the Frequently Asked Questions here relating to the NCSC CIR and CREST CSIR schemes and their relationship.